1. Risk assessment: whether large or small, every company should carry out a comprehensive assessment of its existing processes and procedures to identify what valuable assets (e.g. intellectual property, personal data and financial data) need to be protected, alongside the specific risks and the potential impact on the business if those assets were compromised. Companies also need to consider their supply chain, because many cyber incidents involve third-party contractors, which means steps should be taken to ensure that the contractual responsibility for preventing and dealing with cyber incidents is clear.
2. Incident management strategy: when a cyber incident occurs, time is of the essence and so it is important that companies know in advance what to do and who has responsibility for doing it. A key element of any incident management strategy is the establishment of an incident response team which should include representatives from all relevant groups ranging from HR and employee representatives to public relations and legal representatives.
3. Employee education and awareness: comprehensive policies and procedures should be in place (such as an information security policy). Companies should establish a staff training programme, including regular refresher training for all employees, that aims to increase the levels of security expertise and knowledge across the company. It is important that employees at all levels are aware of their obligations and responsibilities.
4. Regulatory and compliance governance: companies should assess their regulatory obligations as they may be subject to specific cyber security regulations.
5. Network and IT security: companies should take appropriate steps to ensure that networks and infrastructure are protected against external and internal attacks. In addition, the Data Protection Commissioner has issued a Code of Practice for dealing with personal data security breaches. Companies should familiarise themselves with this Code of Practice and ensure that all policies and procedures are aligned with it. Furthermore, when the General Data Protection Regulation comes into force in 2018, it will make the reporting of breaches mandatory, with substantial penalties for non-compliance.